XMTP Agents

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate XMTP agent bridge guide, but its default setup can expose a tool-capable local agent to messages from strangers with only prompt-based limits for public users.

Install only if you intentionally want a persistent XMTP-connected agent. Verify the owner inbox ID, protect the XMTP wallet/encryption keys, run the bridge in a contained environment, and use a separate no-tools/no-files public backend instead of relying on a prompt prefix for strangers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The skill claims the owner/public split prevents strangers from triggering sensitive actions, but multiple documented implementations enforce public restrictions only by prepending a prompt string. Because arbitrary XMTP users can send raw untrusted input to a tool-capable agent, prompt injection can bypass these soft controls and lead to file access, command execution, memory disclosure, or other unsafe tool use.

VirusTotal

64/64 vendors flagged this skill as clean.
